One-third of IT professionals said they use administrative passwords that give them privileged and anonymous access to virtually any system, according to the research from Cyber-Ark Software, an information security company based in Newton, Mass. The survey, which polled more than 200 IT professionals, was done at last month's Infosecurity Exhibition Europe as part of Cyber-Ark's yearly survey on "Trust, Security and Passwords."
"Why does it surprise you that so many of us snoop around your files? Wouldn't you if you had secret access to anything you can get your hands on?" said one IT administrator when he was answering the survey.
That ability to secretly pull up personal and business-sensitive information can turn ugly when IT workers feel disgruntled -- and especially after they've been fired. According to a recent study by Carnegie Mellon University, a disgruntled IT employee using anonymous access from a privileged account is the most common type of insider attack. Of those surveyed, 15% said their company has suffered an insider attack.
"It's surprising to find out how rife snooping is in the workplace," said Calum Macleod, European director for Cyber-Ark, in a written statement. "Gone are the days when you had to break into the filing cabinet in the personnel department to get at vital and highly confidential information. Now all you need to have is the administrative password and you can snoop around most places, and it appears that is exactly what's happening."
As if it's not bad enough that IT workers have so much access on the job, more than one-third said they could still access their company's network once they leave the job.
And why would they still have access? It's because companies rarely change their administrative passwords.
According to Cyber-Ark, one-fifth of all administrators admitted that they rarely change their passwords, while 7% said they never change administrative passwords. Another 8% said they're still using the default passwords that came with their systems.
While IT professionals have been shaking their heads for years about users' propensity for writing their passwords on a Post-It note stuck to their computers, the Cyber-Ark survey showed that much of that wonderment and disdain should be pointed at their own ranks. According to the study, 50% of IT workers do the exact same thing.
"Sure, it's easy for an employee to update the personal password to their laptop, but to change the Administrator password on that same machine?" an IT administrator told a researcher. "It would take days for IT to do them all by hand. In the end, we just pick one password for all the systems and write it down."